Hi, attached are debdiffs for a ruby-rack DSA, with the same fixes as in sid and buster.
cu Adrian
diffstat for ruby-rack-2.1.4 ruby-rack-2.1.4
changelog | 10 +
patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch | 51 ++++++++++
patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch | 46 +++++++++
patches/0003-Fixing-ReDoS-in-header-parsing.patch | 30 +++++
patches/series | 3
5 files changed, 140 insertions(+)
diff -Nru ruby-rack-2.1.4/debian/changelog ruby-rack-2.1.4/debian/changelog
--- ruby-rack-2.1.4/debian/changelog 2023-06-08 00:52:23.000000000 +0300
+++ ruby-rack-2.1.4/debian/changelog 2024-05-02 23:46:12.000000000 +0300
@@ -1,3 +1,13 @@
+ruby-rack (2.1.4-3+deb11u2) bullseye-security; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-25126: ReDoS in Content Type header parsing
+ * CVE-2024-26141: Reject Range headers which are too large
+ * CVE-2024-26146: ReDoS in Accept header parsing
+ * Closes: #1064516
+
+ -- Adrian Bunk <b...@debian.org> Thu, 02 May 2024 23:46:12 +0300
+
 ruby-rack (2.1.4-3+deb11u1) bullseye-security; urgency=high
 
 * Add patch to restrict broken mime parsing.
diff -Nru ruby-rack-2.1.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch ruby-rack-2.1.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
--- ruby-rack-2.1.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch 1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.1.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch 2024-05-02 23:46:12.000000000 +0300
@@ -0,0 +1,51 @@
+From bad2b5be29349b285e08d343f060f7c18065d416 Mon Sep 17 00:00:00 2001
+From: Jean Boussier <jean.bouss...@gmail.com>
+Date: Wed, 6 Dec 2023 18:32:19 +0100
+Subject: Avoid 2nd degree polynomial regexp in MediaType
+
+---
+ lib/rack/media_type.rb | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb
+index 41937c99..7fc1e39d 100644
+--- a/lib/rack/media_type.rb
++++ b/lib/rack/media_type.rb
+@@ -4,7 +4,7 @@ module Rack
+ # Rack::MediaType parse media type and parameters out of content_type string
+ 
+ class MediaType
+- SPLIT_PATTERN = %r{\s*[;,]\s*}
++ SPLIT_PATTERN = /[;,]/
+ 
+ class << self
+ # The media type (type/subtype) portion of the CONTENT_TYPE header
+@@ -15,7 +15,11 @@ module Rack
+ # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
+ def type(content_type)
+ return nil unless content_type
+- content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
++ if type = content_type.split(SPLIT_PATTERN, 2).first
++ type.rstrip!
++ type.downcase!
++ type
++ end
+ end
+ 
+ # The media type parameters provided in CONTENT_TYPE as a Hash, or
+@@ -27,9 +31,10 @@ module Rack
+ return {} if content_type.nil?
+ 
+ content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
++ s.strip!
+ k, v = s.split('=', 2)
+-
+- hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
++ k.downcase!
++ hsh[k] = strip_doublequotes(v)
+ end
+ end
+ 
+--
+2.30.2
+
diff -Nru ruby-rack-2.1.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch ruby-rack-2.1.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch
--- ruby-rack-2.1.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch 1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.1.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch 2024-05-02 23:46:12.000000000 +0300
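Review bot: The rewritten `params` loop can now raise on a client-supplied Content-Type that ends in a separator followed by whitespace: with `SPLIT_PATTERN = /[;,]/` a value like `text/plain; ` splits into `["text/plain", " "]`, `s.strip!` turns the second element into `""`, `s.split('=', 2)` then returns `[]`, so `k` is `nil` and `k.downcase!` raises NoMethodError, whereas the old `%r{\s*[;,]\s*}` consumed that whitespace and `split` dropped the resulting empty trailing element. Because the header is attacker-controlled this converts a malformed-but-harmless header into an unhandled exception instead of an empty parameter hash; add `next if s.empty?` directly after `s.strip!`. The `def params` line lies outside the inner hunk's context, so the method's signature is not visible here. The bookworm copy of this same patch further down carries the identical lines and needs the same guard.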
@@ -0,0 +1,46 @@
+From ef52af28b6ac43789fd8fc05df098b56f220f0fa Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderl...@ruby-lang.org>
+Date: Tue, 13 Feb 2024 13:34:34 -0800
+Subject: Return an empty array when ranges are too large
+
+If the sum of the requested ranges is larger than the file itself,
+return an empty array. In other words, refuse to respond with any bytes.
+
+[CVE-2024-26141]
+---
+ lib/rack/utils.rb | 3 +++
+ test/spec_utils.rb | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 16457f90..87c2a946 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -382,6 +382,9 @@ module Rack
+ end
+ ranges << (r0..r1) if r0 <= r1
+ end
++
++ return [] if ranges.map(&:size).sum > size
++
+ ranges
+ end
+ module_function :get_byte_ranges
+diff --git a/test/spec_utils.rb b/test/spec_utils.rb
+index 5fd92241..67b77b0d 100644
+--- a/test/spec_utils.rb
++++ b/test/spec_utils.rb
+@@ -548,6 +548,10 @@ describe Rack::Utils, "cookies" do
+ end
+ 
+ describe Rack::Utils, "byte_range" do
++ it "returns an empty list if the sum of the ranges is too large" do
++ assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=0-20,0-500" }, 500)
++ end
++
+ it "ignore missing or syntactically invalid byte ranges" do
+ Rack::Utils.byte_ranges({}, 500).must_be_nil
+ Rack::Utils.byte_ranges({ "HTTP_RANGE" => "foobar" }, 500).must_be_nil
+--
+2.30.2
+
diff -Nru ruby-rack-2.1.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch ruby-rack-2.1.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch
--- ruby-rack-2.1.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch 1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.1.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch 2024-05-02 23:46:12.000000000 +0300
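Review bot: The new guard `return [] if ranges.map(&:size).sum > size` has no comment explaining why the result is an empty array rather than the `nil` this function returns for missing or malformed headers (the `must_be_nil` expectations in the same patch show that distinction is part of the contract), and a future maintainer could easily "normalise" it to `nil` and reopen the issue. Add above it `# CVE-2024-26141: the requested ranges together exceed the resource size; return [] (not nil) so callers refuse to serve rather than fall back to the full body`. Note also that the guard bounds the total byte count but not the number of ranges, so a header with many small ranges whose sizes sum to at most `size` still passes; whether that is acceptable presumably depends on how callers build multi-range responses, which is outside this hunk. The enclosing `get_byte_ranges` begins outside the inner hunk, and the bookworm copy of this patch further down adds the same lines.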
@@ -0,0 +1,30 @@
+From 78db2437b784e86027fe332bd61534fbde7040a6 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderl...@ruby-lang.org>
+Date: Wed, 21 Feb 2024 11:05:06 -0800
+Subject: Fixing ReDoS in header parsing
+
+Thanks svalkanov
+
+[CVE-2024-26146]
+---
+ lib/rack/utils.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 87c2a946..900eaf60 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -146,8 +146,8 @@ module Rack
+ module_function :build_nested_query
+ 
+ def q_values(q_value_header)
+- q_value_header.to_s.split(/\s*,\s*/).map do |part|
+- value, parameters = part.split(/\s*;\s*/, 2)
++ q_value_header.to_s.split(',').map do |part|
++ value, parameters = part.split(';', 2).map(&:strip)
+ quality = 1.0
+ if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
+ quality = md[1].to_f
+--
+2.30.2
+
diff -Nru ruby-rack-2.1.4/debian/patches/series ruby-rack-2.1.4/debian/patches/series
--- ruby-rack-2.1.4/debian/patches/series 2023-06-08 00:51:57.000000000 +0300
+++ ruby-rack-2.1.4/debian/patches/series 2024-05-02 23:46:12.000000000 +0300
@@ -7,3 +7,6 @@
 CVE-2022-44572.patch
 CVE-2023-27530.patch
 CVE-2023-27539.patch
+0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
+0002-Return-an-empty-array-when-ranges-are-too-large.patch
+0003-Fixing-ReDoS-in-header-parsing.patch
diffstat for ruby-rack-2.2.6.4 ruby-rack-2.2.6.4
changelog | 10 +
patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch | 51 ++++++++++
patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch | 46 +++++++++
patches/0003-Fixing-ReDoS-in-header-parsing.patch | 30 +++++
patches/series | 3
5 files changed, 140 insertions(+)
diff -Nru ruby-rack-2.2.6.4/debian/changelog ruby-rack-2.2.6.4/debian/changelog
--- ruby-rack-2.2.6.4/debian/changelog 2023-03-23 22:02:43.000000000 +0200
+++ ruby-rack-2.2.6.4/debian/changelog 2024-05-02 23:39:36.000000000 +0300
@@ -1,3 +1,13 @@
+ruby-rack (2.2.6.4-1+deb12u1) bookworm-security; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-25126: ReDoS in Content Type header parsing
+ * CVE-2024-26141: Reject Range headers which are too large
+ * CVE-2024-26146: ReDoS in Accept header parsing
+ * Closes: #1064516
+
+ -- Adrian Bunk <b...@debian.org> Thu, 02 May 2024 23:39:36 +0300
+
 ruby-rack (2.2.6.4-1) unstable; urgency=medium
 
 * Team Upload
diff -Nru ruby-rack-2.2.6.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch ruby-rack-2.2.6.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
--- ruby-rack-2.2.6.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch 1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.2.6.4/debian/patches/0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch 2024-05-02 23:11:55.000000000 +0300
@@ -0,0 +1,51 @@
+From 0dd2a6314a1677ba38d2f94b18ecf21a5fbfaa1d Mon Sep 17 00:00:00 2001
+From: Jean Boussier <jean.bouss...@gmail.com>
+Date: Wed, 6 Dec 2023 18:32:19 +0100
+Subject: Avoid 2nd degree polynomial regexp in MediaType
+
+---
+ lib/rack/media_type.rb | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rack/media_type.rb b/lib/rack/media_type.rb
+index 41937c99..7fc1e39d 100644
+--- a/lib/rack/media_type.rb
++++ b/lib/rack/media_type.rb
+@@ -4,7 +4,7 @@ module Rack
+ # Rack::MediaType parse media type and parameters out of content_type string
+ 
+ class MediaType
+- SPLIT_PATTERN = %r{\s*[;,]\s*}
++ SPLIT_PATTERN = /[;,]/
+ 
+ class << self
+ # The media type (type/subtype) portion of the CONTENT_TYPE header
+@@ -15,7 +15,11 @@ module Rack
+ # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
+ def type(content_type)
+ return nil unless content_type
+- content_type.split(SPLIT_PATTERN, 2).first.tap &:downcase!
++ if type = content_type.split(SPLIT_PATTERN, 2).first
++ type.rstrip!
++ type.downcase!
++ type
++ end
+ end
+ 
+ # The media type parameters provided in CONTENT_TYPE as a Hash, or
+@@ -27,9 +31,10 @@ module Rack
+ return {} if content_type.nil?
+ 
+ content_type.split(SPLIT_PATTERN)[1..-1].each_with_object({}) do |s, hsh|
++ s.strip!
+ k, v = s.split('=', 2)
+-
+- hsh[k.tap(&:downcase!)] = strip_doublequotes(v)
++ k.downcase!
++ hsh[k] = strip_doublequotes(v)
+ end
+ end
+ 
+--
+2.30.2
+
diff -Nru ruby-rack-2.2.6.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch ruby-rack-2.2.6.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch
--- ruby-rack-2.2.6.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch 1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.2.6.4/debian/patches/0002-Return-an-empty-array-when-ranges-are-too-large.patch 2024-05-02 23:11:55.000000000 +0300
@@ -0,0 +1,46 @@
+From ca18315cb37dffb378b56a64a6e0cefcb1df8fc0 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderl...@ruby-lang.org>
+Date: Tue, 13 Feb 2024 13:34:34 -0800
+Subject: Return an empty array when ranges are too large
+
+If the sum of the requested ranges is larger than the file itself,
+return an empty array. In other words, refuse to respond with any bytes.
+
+[CVE-2024-26141]
+---
+ lib/rack/utils.rb | 3 +++
+ test/spec_utils.rb | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index c8e61ea1..72700503 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -380,6 +380,9 @@ module Rack
+ end
+ ranges << (r0..r1) if r0 <= r1
+ end
++
++ return [] if ranges.map(&:size).sum > size
++
+ ranges
+ end
+ 
+diff --git a/test/spec_utils.rb b/test/spec_utils.rb
+index 90676258..6b069914 100644
+--- a/test/spec_utils.rb
++++ b/test/spec_utils.rb
+@@ -590,6 +590,10 @@ describe Rack::Utils, "cookies" do
+ end
+ 
+ describe Rack::Utils, "byte_range" do
++ it "returns an empty list if the sum of the ranges is too large" do
++ assert_equal [], Rack::Utils.byte_ranges({ "HTTP_RANGE" => "bytes=0-20,0-500" }, 500)
++ end
++
+ it "ignore missing or syntactically invalid byte ranges" do
+ Rack::Utils.byte_ranges({}, 500).must_be_nil
+ Rack::Utils.byte_ranges({ "HTTP_RANGE" => "foobar" }, 500).must_be_nil
+--
+2.30.2
+
diff -Nru ruby-rack-2.2.6.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch ruby-rack-2.2.6.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch
--- ruby-rack-2.2.6.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch 1970-01-01 02:00:00.000000000 +0200
+++ ruby-rack-2.2.6.4/debian/patches/0003-Fixing-ReDoS-in-header-parsing.patch 2024-05-02 23:11:55.000000000 +0300
@@ -0,0 +1,30 @@
+From 3f0a5391ed7118f10bae56b369b2c525942f26c6 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderl...@ruby-lang.org>
+Date: Wed, 21 Feb 2024 11:05:06 -0800
+Subject: Fixing ReDoS in header parsing
+
+Thanks svalkanov
+
+[CVE-2024-26146]
+---
+ lib/rack/utils.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 72700503..ccf39e30 100644
+--- a/lib/rack/utils.rb
++++ b/lib/rack/utils.rb
+@@ -142,8 +142,8 @@ module Rack
+ end
+ 
+ def q_values(q_value_header)
+- q_value_header.to_s.split(/\s*,\s*/).map do |part|
+- value, parameters = part.split(/\s*;\s*/, 2)
++ q_value_header.to_s.split(',').map do |part|
++ value, parameters = part.split(';', 2).map(&:strip)
+ quality = 1.0
+ if parameters && (md = /\Aq=([\d.]+)/.match(parameters))
+ quality = md[1].to_f
+--
+2.30.2
+
diff -Nru ruby-rack-2.2.6.4/debian/patches/series ruby-rack-2.2.6.4/debian/patches/series
--- ruby-rack-2.2.6.4/debian/patches/series 2023-03-23 22:02:43.000000000 +0200
+++ ruby-rack-2.2.6.4/debian/patches/series 2024-05-02 23:39:36.000000000 +0300
@@ -1,3 +1,6 @@
 skip-random-failure.patch
 0002-Make-tests-pass-on-hosts-that-have-no-ipv4-connectiv.patch
 skip-unreadable-dir-test.patch
+0001-Avoid-2nd-degree-polynomial-regexp-in-MediaType.patch
+0002-Return-an-empty-array-when-ranges-are-too-large.patch
+0003-Fixing-ReDoS-in-header-parsing.patch